CN107209831A - System and method for recognizing network attack - Google Patents
- Publication number: CN107209831A (application CN201580061985.1A)
- Authority
- CN
- China
- Prior art keywords
- dom
- code
- codes
- flo
- tester
- Prior art date
- Legal status
- Granted
Classifications
- H04L63/1466 — Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks (H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L63/00—Network architectures or network communication protocols for network security; H04L63/14—... for detecting or protecting against malicious traffic; H04L63/1441—Countermeasures against malicious traffic)
- G06F21/554 — Detecting local intrusion or implementing counter-measures involving event detection and direct action (G—PHYSICS; G06—COMPUTING; CALCULATING OR COUNTING; G06F—ELECTRIC DIGITAL DATA PROCESSING; G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems; G06F21/55—Detecting local intrusion or implementing counter-measures)
- H04L41/0273 — Exchanging or transporting network management information using the Internet; Embedding network management web servers in network elements; Web-services-based protocols using web services for network management, e.g. simple object access protocol [SOAP] (H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks; H04L41/02—Standardisation; Integration; H04L41/0246—Exchanging or transporting network management information using the Internet; Embedding network management web servers in network elements; Web-services-based protocols)
- H04L43/08 — Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters (H04L43/00—Arrangements for monitoring or testing data switching networks)
- H04L63/1416 — Event detection, e.g. attack signature detection (H04L63/00 and H04L63/14 as above; H04L63/1408—... by monitoring network traffic)
- H04L67/02 — Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (H04L67/00—Network arrangements or protocols for supporting network services or applications; H04L67/01—Protocols)
- G06F2221/032 — Protect output to user by software means (G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms)
- G06F2221/2119 — Authenticating web pages, e.g. with suspicious links (G06F2221/00 as above; G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
Abstract
The present disclosure relates to a system (1), and to a method of detecting and resisting man-in-the-browser and/or man-in-the-middle network attacks using this system (1). The system (1) includes a flo-tester (2) in signal communication with a client computer (3), on which a Web browser (4) is installed for internet browsing, and with a Web server (5), on which a web application (6) is installed. The flo-tester (2) is configured to receive from the Web browser (4) a request associated with the web application (6), to forward this request to the Web server (5), and to receive from the Web server (5) the DOM server code associated with the request. The system is characterised in that it includes a NetStream Data Analyzer (7) in signal communication with the flo-tester (2), on which an algorithm application program (8) is installed; the flo-tester (2) is configured to add a default code part to the DOM server code, thereby generating the DOM client code to be sent to the Web browser (4), and to receive the DOM presentation code associated with the DOM client code; the flo-tester (2) is configured to send the DOM client code and the DOM presentation code to the NetStream Data Analyzer (7); and the algorithm application program (8) is configured to process the DOM presentation code and compare it with the DOM client code, thereby identifying at least one code difference.
Description
Technical field
The present disclosure relates to a system and a method for detecting and resisting network attacks.
In particular, it relates to a method for detecting and resisting Man-in-the-Browser and/or Man-in-the-Middle attacks. In other words, the invention makes it possible to monitor and protect a web application (on a Web server) against attacks coming from the Web browser of a client.
Background art
Among the known techniques for resisting computer security attacks, including man-in-the-browser and/or man-in-the-middle attacks, is the use of antivirus software. A man-in-the-browser attack is a type of attack that directly manipulates the Web browser so as to alter the content normally shown to the user when he/she accesses a website. A Man-in-the-Browser (MitB) attack is carried out, without the user's knowledge, by malware installed on the computer. This malware (for example, a proxy Trojan horse) interacts with the memory of the Web browser process and redirects the normal flow of system calls (used by the Web browser) to specific malware functions whose purpose is, for example, to inject additional HTML code into the downloaded Web page. It should be noted that in a man-in-the-browser attack the connection is established with the original Web server of the attacked website, which makes the attack difficult to detect. Consequently, neither the Web browser nor the web application can recognise the content that the malware has added to the content actually downloaded by the Web browser. Man-in-the-browser attacks have been confirmed to include the theft of credit card information from e-banking and e-commerce websites, and fraudulent transactions that are often started automatically without any user interaction.
In more detail, when a user requests a Web page (that is, a web application) via a Web browser, the Web server hosting the Web page sends the HTML source code (Document Object Model, DOM) to the Web browser. The DOM code is passed to the rendering engine of the browser, which displays it to the user. On a PC infected by malware, for example, the DOM code that the Web browser receives from the Web server is modified by the malware before it is processed by the rendering engine of the Web browser. That is, the malware injects extra code (for example, a script) into the DOM code received from the Web server, so as to alter the content shown to the user. The modifications made by the malware to the DOM code downloaded from the Web server are changes to the HTML and/or JavaScript code and/or to any other content or web resource. As described above, while these changes take place (and they may include graphical and/or behavioural changes), the Web browser remains connected to the original Web server. The user is therefore shown a modified Web page that reproduces the Web page the client originally requested. Without realising it, the client allows access to his/her own personal data or authorises fraudulent transactions against his/her own account.
For example, in the banking field, a computer infected by malware typically logs in to an internet banking website over the HTTPS protocol and downloads the Web page data. The malware, however, modifies this data in real time by adding transaction-manipulation scripts, for example to transfer money automatically. A script can also redirect a transfer actually scheduled by the user to other recipients, or simply request credit card information and/or add extra fields for the user to fill in with additional data.
Problem of the prior art
The antivirus software installed on a PC or client user device (for example, a smartphone, tablet computer, etc.) is not very effective against this computer security threat. Antivirus software can recognise only a part of the man-in-the-browser attacks that occur via the internet. Web browsers that meet high security standards or come with internet security software are also known. However, prior art solutions cannot reasonably resist man-in-the-browser attacks.
Summary of the invention
It is an object of the present invention to provide a system for preventing network attacks.
It is a further object of the present invention to provide a method for preventing man-in-the-browser attacks using this system.
It is yet another object of the present invention to provide a system for detecting modifications made by malware to the HTML and/or JavaScript code of the DOM of a Web page and/or web resource downloaded by a user, and for proving that the content and/or DOM of the web resource and/or page sent to a given client is actually the content and/or DOM that is to be shown to, or used by, that client.
A further object of the present invention is to provide a method for preventing network attacks.
Advantages of the invention
One embodiment provides a system that sits between the Web browser and the monitored web application and intervenes on the HTTP and/or HTTPS requests made by the user.
Another embodiment provides a system, and a method using this system, for identifying any modification of the DOM code actually downloaded by a web application. This makes it possible to identify man-in-the-browser attacks and to ensure that the requested Web page is shown correctly to the user.
Brief description of the drawings
The features and advantages of the present disclosure will become evident from the following detailed description of possible specific embodiments, shown by way of non-limiting example in the accompanying drawings, in which:
- Fig. 1 shows an embodiment of a system for recognising and preventing network attacks according to the disclosure;
- Fig. 2 shows another embodiment of a system for preventing network attacks according to the disclosure;
- Fig. 3 shows a flow chart of a method for preventing network attacks according to the disclosure;
- Fig. 4 shows a flow chart of particular steps of the method for preventing network attacks according to the disclosure;
- Fig. 5 shows a flow chart of particular sub-steps of the method for preventing network attacks with reference to Fig. 4.
Embodiments
Even where not expressly stated, each feature described with reference to a specific embodiment should also be understood as auxiliary to, and interchangeable with, the other features described with reference to other exemplary embodiments.
The present invention relates to a system 1 for recognising network attacks, in particular man-in-the-browser attacks.
With reference to Figs. 1 and 2, the system 1 includes a flo-tester 2 in signal communication with at least one client computer 3, on which a Web browser 4 is installed for internet browsing.
The flo-tester 2 is in signal communication with a Web server 5 on which a web application 6 is installed.
In one aspect, the user can use the Web browser 4 on the client computer 3 to request the web application 6 (for example, a Web page) residing on the Web server 5. In other words, the user (or client) accesses a Web page using the Web browser 4 installed on the client computer 3. Obviously, during use, the client computer 3 must be connected to the internet via a wired or mobile telephone device or any other known means of communication.
The flo-tester 2 is configured to receive from the Web browser 4 at least one request associated with the web application 6, and to send this request to the Web server 5.
The flo-tester 2 is configured to receive from the Web server 5 the DOM server code related to the request. That is, the request is generated by the Web browser 4 when the user uses the Web browser 4 to request the address that uniquely identifies an internet resource residing on the Web server 5 (that is, the web application 6).
Preferably, the flo-tester 2 is configured to use the HTTP or HTTPS protocol at least to receive from the Web browser 4 the request associated with the web application 6 and to send this request to the Web server 5.
According to a preferred embodiment, the flo-tester 2 is designed to be installed as a software component in the web application 6, and/or to be installed on the Web server 5 hosting the web application 6 as a firewall software module and/or load balancer and/or network device and/or hardware unit and/or software module.
Preferably, the flo-tester 2 is installed in the same network as the web application 6 (for example, on-premises) or is provided as an external service (for example, SaaS or cloud).
The system 1 includes a NetStream Data Analyzer 7 on which an algorithm application program 8 is installed. This NetStream Data Analyzer 7 is in signal communication with the flo-tester 2.
According to a preferred configuration, the flo-tester 2 and/or the NetStream Data Analyzer 7 are software components. More preferably, the flo-tester and/or the NetStream Data Analyzer are components of a dedicated server.
Preferably, the flo-tester 2 and the NetStream Data Analyzer 7 communicate by sending operations, and these operations can be sent via one or more known communication protocols such as TCP, UDP, HTTP(S) and IMAP.
Advantageously, the NetStream Data Analyzer is located outside the data flow of the HTTP/HTTPS requests and can work independently of this data flow.
The flo-tester 2 is configured to add an agent code part to the DOM server code, thereby generating the DOM client code. In addition, the flo-tester 2 is configured to send the DOM client code to the Web browser 4.
As noted above, the DOM server code (for example, HTML code) is received and processed by the rendering engine of the Web browser 4 so that the content of the web application 6 can be shown to the user as hypertext (for example, a Web page).
In addition, the flo-tester 2 is configured to receive from the Web browser 4 the DOM presentation code associated with the DOM client code.
In other words, the DOM presentation code is what the rendering engine of the Web browser 4 obtains by processing the DOM client code.
The DOM client code is therefore the code that malware may potentially modify in order to carry out a man-in-the-browser or man-in-the-middle attack. As described above, malware tampers with the built-in functions of the browser (a technique also known as hooking) so as to modify the DOM client code before it is passed to the rendering engine of the Web browser 4. Consequently, if the DOM client code is modified, the DOM presentation code is modified as well.
According to a preferred configuration, the DOM server code is the HTML code and/or JavaScript code associated with the request.
Preferably, the agent code part is HTML code and/or JavaScript code.
It should be noted that the DOM client code includes at least the DOM server code and the agent code part.
According to a preferred embodiment, the agent code part is a default code, which is preferably arranged to give the Web browser at least one instruction to send the DOM presentation code to the flo-tester 2.
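As an added illustration (this is not code from the patent), the following Python model shows the step in which the flo-tester 2 adds the default code part to the DOM server code and so produces the DOM client code: a per-request code, a script that instructs the browser to post the rendered document back, and the insertion of that script before the closing body tag. The check path name, the HID length, the script body and the sample page are all assumptions made for this example.

```python
import secrets

# Hypothetical dedicated path on the flo-tester that receives the DOM presentation
# code; the patent only gives ".../check" as an example of a fixed path.
CHECK_PATH = "/check"


def new_hid():
    """Random per-request code (the patent's HID); 16 hex characters is an assumption."""
    return secrets.token_hex(8)


def make_agent_code_part(hid, check_path=CHECK_PATH):
    """Default code part: a single instruction telling the browser, once the page has
    loaded, to send the serialised rendered document (the DOM presentation code)
    back to the flo-tester together with the request code. Illustrative script body."""
    return (
        '<script id="agent">'
        "window.addEventListener('load',function(){"
        "var x=new XMLHttpRequest();"
        "x.open('POST','" + check_path + "',true);"
        "x.setRequestHeader('Content-Type','application/json');"
        "x.send(JSON.stringify({hid:'" + hid + "',"
        "dom:document.documentElement.outerHTML}));"
        "});</script>"
    )


def add_agent_code(dom_server_code, agent_part):
    """DOM client code = DOM server code + agent code part.
    The part is placed just before the last </body> so the page's own markup is
    left untouched; if the server code has no </body>, the part is appended."""
    idx = dom_server_code.lower().rfind("</body>")
    if idx < 0:
        return dom_server_code + agent_part
    return dom_server_code[:idx] + agent_part + dom_server_code[idx:]


def strip_agent_code(dom_code, agent_part):
    """Remove the known agent part again, so that the analyser never reports the
    flo-tester's own script as a code difference."""
    return dom_code.replace(agent_part, "", 1)


def build_client_code(dom_server_code, hid=None):
    """One flo-tester round for one request: returns (hid, agent_part, dom_client_code)."""
    hid = hid or new_hid()
    part = make_agent_code_part(hid)
    return hid, part, add_agent_code(dom_server_code, part)


# Constructed DOM server code standing in for a page served by the Web server 5.
SAMPLE_SERVER_DOM = (
    '<html><body><form action="/transfer"><input name="amount"></form></body></html>'
)

if __name__ == "__main__":
    hid, part, client = build_client_code(SAMPLE_SERVER_DOM)
    print("HID:", hid)
    print(client)
```

The agent part is kept by the flo-tester per HID, so that when the browser posts the rendered document the analyser can subtract the script it injected itself before looking for differences.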
The flo-tester 2 is configured to send at least the DOM client code and the DOM presentation code to the NetStream Data Analyzer 7.
The algorithm application program 8 in the NetStream Data Analyzer 7 is configured to process the DOM presentation code and to compare it with the DOM client code so as to identify at least one code difference. Preferably, the algorithm application program 8 is configured to generate an attack indication signal (for example, a MitB alarm) when it identifies at least one code difference that may be related to a network attack such as a Man-in-the-Browser (MitB) attack.
According to a preferred configuration, the algorithm application program 8 processes the DOM presentation code so as to provide an estimate of the expected DOM client code. In more detail, the algorithm application program 8 is configured to provide an estimate of the expected DOM client code which, when processed by the rendering engine of the Web browser 4, would produce the DOM presentation code. The expected DOM client code is compared with the original DOM client code (that is, the DOM client code received by the client computer 3) so as to identify a match between the two codes. In other words, the expected and original DOM client codes are identical and consistent when the DOM client code was not modified before rendering, or similar and matching when the code differences are not caused by the presence of malware.
According to the invention, when the algorithm application program 8 identifies at least one code difference that may be related to a network attack (a MitB attack or the like), the expected and original DOM client codes are deemed not to match.
Preferably, the algorithm application program 8 is therefore made variable over time (polymorphic), either manually by a programmer or by means of a learning system. More preferably, the learning system implementing the algorithm application program 8 is based, for example, on a statistical analysis of the specific behaviour of the Web browser 4 (for example, user-agent spoofing).
As used in this document, the term algorithm application program refers to a program, or a series of programs, intended to run on the NetStream Data Analyzer 7 that makes it possible to compare the DOM client code with the DOM presentation code so as to check for mismatches between them. In particular, the algorithm application program 8 is a program, or a series of programs, able to process the DOM presentation code so as to compare it with the DOM client code. For example, the algorithm uses a default, suitably configured function to provide an estimate of the expected DOM client code received and processed by the rendering engine of the Web browser 4 (that is, the code potentially modified by malware). This default function changes over time (polymorphism) thanks to a learning mechanism that takes into account the behaviour of the particular Web browser for which it is implemented. Since each Web browser 4 renders the DOM client code in its own specific way, the default function is intended to be specific to each Web browser 4. In other words, the default function of the algorithm application program 8 performs the "inverse function" of the DOM presentation code. Thus, once the algorithm application program 8 has received the DOM presentation code, it can provide an estimate of the expected DOM client code actually processed by the Web browser 4. This is possible because the default function takes the behaviour of the Web browser 4 into account. A comparison function such as a plain-text diff then compares the expected DOM client code estimated by the default function with the DOM client code, so as to generate a set of code fragments containing the differences detected between the DOM client code and the expected DOM client code. These fragments are the code sections potentially injected by malware.
As used herein, the term "text diff" is intended to mean an application program that can compare two texts (for example, HTML code text) and extract the differences between them.
In other words, a "text diff" is a program (that is, a comparison function) that highlights the differences between two files by a plain-text comparison of their respective codes (for example, by text overlay, keyword search or spell check).
According to a preferred embodiment, the algorithm application program 8 resides in the flo-tester 2 and/or the client computer 3 and/or the Web server 5. Preferably, the algorithm application program 8 is divided into sub-functions executed on several software components. Preferably, these sub-functions are executed in the flo-tester 2 and/or the NetStream Data Analyzer 7 and/or the client computer (for example, the Web browser 4) and/or the Web server 5.
According to a preferred embodiment, before the "text diff" comparison of the two DOM codes is carried out, the NetStream Data Analyzer 7 or the flo-tester 2 processes the DOM client code and the DOM presentation code so as to standardise the two codes and make them comparable.
This processing includes, for example, the removal of spaces and carriage returns and the management of character encoding.
For simplicity, the comparison between the DOM client code and the DOM presentation code is described below as including all the steps carried out by the algorithm application program 8, such as the application of the default function, the text-diff comparison and the standardisation of the DOM codes.
As described above, the comparison between the DOM client code and the DOM presentation code (possibly using a "text diff") makes it possible to extract the code differences, also known as fragments.
Each fragment is uniquely identified by its MD5 hash.
In addition, each fragment is associated with basic metadata, such as the user agent (that is, the type of Web browser used by the user), which forms the cluster used for analysis. This association is needed because each user agent (that is, Web browser 4) handles the previously received DOM client code differently during or after the rendering process.
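As an added, runnable example of the comparison just described (not the patent's own code), the following Python implementation standardises both codes, runs a plain-text diff over them, and turns each difference into a fragment identified by its MD5 hash and tagged with the user agent it came from. The sample DOM client code and DOM presentation code are constructed; the extra form field in the rendered document is a made-up stand-in for an injected element, chosen so the output shows what the analyser would report.

```python
import difflib
import hashlib
import re


def standardise(dom_code):
    """Standardisation step before the text diff: drop carriage returns, put one
    tag per line and collapse runs of whitespace. Returns the non-empty lines."""
    text = dom_code.replace("\r", "")
    text = re.sub(r">\s*<", ">\n<", text)
    lines = (re.sub(r"\s+", " ", ln).strip() for ln in text.split("\n"))
    return [ln for ln in lines if ln]


def make_fragment(kind, code, user_agent):
    """A fragment: the differing code, its MD5 identifier and the cluster metadata."""
    return {
        "type": kind,                       # "insertion" or "removal"
        "md5": hashlib.md5(code.encode("utf-8")).hexdigest(),
        "code": code,
        "user_agent": user_agent,           # cluster key used when baselining fragments
    }


def extract_fragments(dom_client_code, dom_presentation_code, user_agent):
    """Plain-text diff of the two standardised codes. Every non-equal opcode becomes
    a removal fragment (lines missing from the rendered DOM), an insertion fragment
    (lines the rendered DOM added), or both for a replacement."""
    a = standardise(dom_client_code)
    b = standardise(dom_presentation_code)
    matcher = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    fragments = []
    for op, i1, i2, j1, j2 in matcher.get_opcodes():
        if op in ("delete", "replace"):
            fragments.append(make_fragment("removal", "\n".join(a[i1:i2]), user_agent))
        if op in ("insert", "replace"):
            fragments.append(make_fragment("insertion", "\n".join(b[j1:j2]), user_agent))
    return fragments


# Constructed DOM client code as the flo-tester would send it (note the CR LF and
# indentation, which the standardisation must ignore).
CLIENT_DOM = """<html>\r\n<body>
  <form action="/transfer">
    <input name="amount">
  </form>
  <script id="agent">sendDom()</script>
</body>
</html>"""

# Constructed DOM presentation code from a browser in which one extra field was
# inserted before rendering; "card_number" is an assumed name for the example.
PRESENTED_DOM = """<html><body><form action="/transfer"><input name="amount">
<input name="card_number"></form><script id="agent">sendDom()</script></body></html>"""


def demo():
    return extract_fragments(CLIENT_DOM, PRESENTED_DOM, "Mozilla/5.0 (constructed UA)")


if __name__ == "__main__":
    for frag in demo():
        print(frag["type"], frag["md5"], frag["code"])
```

Because the diff runs on standardised lines, formatting differences introduced by the browser (line endings, indentation) produce no fragments at all; only the inserted field survives as a single insertion fragment, and the same field seen from the other direction is reported as a removal.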
For example, some fragments identify minor changes (for example, removal of blanks, code indentation, reordering of parameters within a tag) or structural changes (for example, the addition of a missing closing tag, or code formatting applied when the code in its original HTML format contains errors).
Some other fragments identify changes made by the Web browser 4, such as scripts generated by the web resource or Web page itself, or by the resource or page, that modify the code of the web resource or page being rendered. These fragments are also known as application fragments.
Further fragments, known as outside fragments, can be generated, for example, by browser plug-ins, that is, by malware working with man-in-the-browser techniques or introduced by man-in-the-middle techniques.
As described above, malware tampers with the built-in functions of the browser (also known as hooking) so as to modify the DOM client code before it is passed to the rendering engine of the Web browser 4.
The extracted differences (that is, fragments) are analysed using the comparison function and the other functions of the algorithm application program 8.
These differences (or fragments) can be of the insertion or removal type.
Preferably, each of these fragments is assessed against a baseline (for example, a statistical baseline) organised by a particular cluster (for example, fragments classified by user agent or by operating system).
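The baseline step above, as an added example that is not part of the patent: fragment hashes are learned per cluster from clean sessions, and a fragment in a new session counts as an application fragment only if it has already been seen in enough sessions of the same cluster; anything else is an outside fragment and raises the attack indication signal. The cluster key, the threshold of three sessions and the sample fragment strings are assumptions.

```python
import hashlib
from collections import Counter, defaultdict


def fragment_id(code):
    """Fragment identifier: the MD5 hash of the fragment code."""
    return hashlib.md5(code.encode("utf-8")).hexdigest()


class FragmentBaseline:
    """Statistical baseline of fragment hashes, kept per cluster; here the cluster
    key is the pair (user agent family, operating system), an assumed choice."""

    def __init__(self, min_sessions=3):
        self.min_sessions = min_sessions   # sessions a fragment must appear in to be "known"
        self.sessions = Counter()          # cluster -> number of learned sessions
        self.seen = defaultdict(Counter)   # cluster -> fragment md5 -> sessions containing it

    def learn(self, cluster, fragment_hashes):
        """Record the fragments of one clean (trusted) session for the cluster."""
        self.sessions[cluster] += 1
        for md5 in set(fragment_hashes):
            self.seen[cluster][md5] += 1

    def is_application_fragment(self, cluster, md5):
        return self.seen[cluster][md5] >= self.min_sessions

    def assess(self, cluster, fragments):
        """fragments: list of {"md5": ..., "type": "insertion" | "removal"}.
        Returns (attack_signal, verdicts) where verdicts maps each md5 to
        "application" (inside the cluster baseline) or "outside"; any outside
        fragment, inserted or removed, raises the attack indication signal."""
        verdicts = {}
        attack = False
        for frag in fragments:
            known = self.is_application_fragment(cluster, frag["md5"])
            verdicts[frag["md5"]] = "application" if known else "outside"
            attack = attack or not known
        return attack, verdicts


# Constructed fragment codes for the demonstration.
BENIGN_TBODY = "<tbody>"                   # a browser supplying a missing <tbody>
BENIGN_HEAD = "<head></head>"              # a browser supplying a missing <head>
INJECTED = '<input name="card_number">'    # a field the application never served


def demo():
    baseline = FragmentBaseline(min_sessions=3)
    chrome_win = ("Chrome", "Windows")
    for _ in range(5):                     # five clean sessions learned for this cluster
        baseline.learn(chrome_win, [fragment_id(BENIGN_TBODY), fragment_id(BENIGN_HEAD)])
    clean = [{"md5": fragment_id(BENIGN_TBODY), "type": "insertion"}]
    suspect = clean + [{"md5": fragment_id(INJECTED), "type": "insertion"}]
    return baseline.assess(chrome_win, clean), baseline.assess(chrome_win, suspect)


if __name__ == "__main__":
    for attack, verdicts in demo():
        print("attack signal:", attack, verdicts)
```

A cluster with no learned sessions treats every fragment as outside, so the baseline has to be trained on clean traffic for each browser family and operating system before its alarms mean anything; that is the practical cost of keeping the baseline per cluster rather than global.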
The NetStream Data Analyzer 7 can be configured to send at least an attack recognition signal to the flo-tester 2, and/or to store the signal information, and/or to send the signal to an external system.
According to one configuration, the system 1 includes a computer management device 9 in signal communication with the flo-tester 2 and the NetStream Data Analyzer 7, configured so that the user can program and monitor the operation of the flo-tester 2 and the NetStream Data Analyzer 7.
Preferably, the flo-tester 2 is configured to receive the attack recognition signal and to send at least the attack recognition signal to the Web browser 4.
Preferably, the NetStream Data Analyzer 7 is configured to send the attack recognition signal to the computer management device and/or to an external system.
According to a preferred embodiment, the algorithm application program 8 in the NetStream Data Analyzer 7 is configured to compare at least the DOM client code with the processed DOM presentation code, so as to generate at least one attack recognition code when the DOM client code and the DOM presentation code do not match.
According to a preferred embodiment, the computer management device 9 is a control panel through which the user can:
- monitor the status of the system 1; and/or
- watch, check and/or monitor requests and traffic in real time; and/or
- watch, check and/or monitor the request and traffic history; and/or
- monitor, set and manage attack recognition signals (for example, security alarms) or information signals; and/or
- display and manage the configuration of the system 1 and of its components, and/or make changes to that configuration and those components.
Advantageously, because the system 1 analyses every request, the system 1 provides a comprehensive overview of what happens during a session.
Advantageously, the system 1 of the invention makes it possible to recognise and resist man-in-the-browser and/or man-in-the-middle attacks efficiently and securely, thereby providing comprehensive monitoring of the user's requests.
The invention further relates to a method for recognising man-in-the-browser and/or man-in-the-middle network attacks using the system 1 of the invention, comprising the following steps:
- generating, via the Web browser 4, a request for the web application 6 or a web resource using a URI or URL;
- sending this request to the Web server 5 using the flo-tester 2;
- receiving, using the flo-tester 2, the DOM server code automatically generated by the Web server 5 according to the request;
- adding, using the flo-tester 2, the agent code part to the DOM server code, thereby generating the DOM client code, and sending the DOM client code to the Web browser 4;
- receiving and processing the DOM client code using the Web browser 4, so as to automatically generate the DOM presentation code and send the DOM presentation code to the flo-tester 2;
- receiving the DOM presentation code using the flo-tester 2 and automatically sending the above DOM client code and the DOM presentation code to the NetStream Data Analyzer 7;
- receiving, processing and comparing at least the DOM client code and the DOM presentation code using the algorithm application program 8 residing in the NetStream Data Analyzer 7, so as to generate at least one attack recognition signal when the DOM client code and the DOM presentation code do not match.
According to a preferred embodiment, the step of sending the request comprises the following:
- the request is sent using the HTTP or HTTPS protocol;
- the agent code part is HTML and/or JavaScript code, or code and/or a language of another type that the Web browser can interpret;
- the DOM client code includes at least the DOM server code and the default code part.
According to a preferred embodiment, the step of receiving and processing the DOM client code so as to automatically generate the DOM presentation code comprises the following steps:
- receiving the DOM client code using the Web browser 4;
- processing the DOM server code contained in the DOM client code using the Web browser, so as to automatically generate the DOM presentation code;
- processing the agent code part contained in the DOM client code using the Web browser 4, so as to send the DOM presentation code to the flo-tester 2.
According to a preferred embodiment, the step of receiving and comparing at least the DOM client code and the DOM presentation code using the algorithm application program 8 residing in the NetStream Data Analyzer 7, so as to generate at least one attack recognition signal when the DOM client code and the DOM presentation code do not match, comprises the following step:
- sending the attack recognition signal to the flo-tester 2 and/or the Web browser 4 and/or the computer management device 9 and/or an external unit.
According to a preferred embodiment, the step of receiving and comparing at least the DOM client code and the DOM presentation code using the algorithm application program 8 residing in the NetStream Data Analyzer 7, so as to generate at least one attack recognition signal when the DOM client code and the DOM presentation code do not match, comprises the following step:
- using the algorithm application program 8 residing in the NetStream Data Analyzer 7, receiving and comparing at least the DOM client code and the DOM presentation code by executing a comparison function, so as to generate at least one attack recognition signal when the DOM client code and the DOM presentation code do not match.
An application example of the method of the present invention is illustrated below.
Application example of the method - Fig. 3
The method comprises the following steps:
- From the client computer 3, the user requests the Web site or application resource or page of interest using a URI or URL (resource ID) (block 301). The Web browser 4 generates an HTTP or HTTPS request, which is sent directly to the flo-tester 2 installed on the same site as the web application 6 or available in a cloud environment.
- The flo-tester 2 acts as a reverse proxy system: it reads the host name and checks it against the original host name, address, URL or URI of the location of the web application 6 that it is monitoring and protecting under its configuration key. The flo-tester 2 sends the HTTP or HTTPS request to the Web server 5 and obtains the DOM server code of the requested page (including cookies, headers and other information) (block 302).
- The flo-tester 2 randomly generates a UID (that is, a user code) (block 303). If the user has already made a request, the flo-tester 2 reads the UID sent by the client computer 3, for example via a pre-registered cookie held in the user's Web browser 4 (block 303a); otherwise it generates and sends a new UID (block 303b).
- The flo-tester 2 randomly assigns a unique HID (that is, a request code) to each individual HTTP or HTTPS request (block 304).
Agent code part (for example, script) is loaded (block 305) and adds (block 306) to being asked by-flo-tester 2
The page DOM servers in.Above-mentioned script can be to provide a series of functions and a series of marks HTML and/or
Javascript codes.As used herein, term mark, which is intended to specify, can take the free position (example in two states
Such as, "true" or "false", " unlatching " or " closing ", " 1 " or " 0 ") variable, and indicate whether using its value to actually occur
Whether given event or system are in particular condition.Indicate when only reaching given state or there occurs given event certainly
Used in code used in the dynamic specific operation performed.Can be according to the UID or IP for making request or according to can in system 1
Script or agent code are distinguished with any other variable of setting so that can be made by oneself for each user addition of customer group
Adopted script.
- flo-tester 2 sends the DOM clients including DOM code servers or script and agent code or script
To Web browser 4 (block 307).
The Web browser 4 of-user receives DOM clients, is presented the page, and automatically begins to script or agent code
Operate (block 308).
Once-Web browser 4 completes presentation processing or performs script or agent code, Web browser 4 is just passed through
By can fix (for example, http (s)://webapplication/check) or it is variable (for example, http (s)://
Webapplication/fjlc3f4 dedicated path) sends data to flo-tester 2, and this data are for example as follows:
A. it is used to check presentation behavior and for example identification BOT (corpse) or javascript disables the mark (block of event
309);
Code (block 310) is presented in b.DOM;
- flo-tester 2 receives this data via fixed or variable dedicated path, and for example by creating operation
Asynchronously to pack (block 311) and be sent to (block 312) to NetStream Data Analyzer.Operation is for example including data below:
A. metadata (for example, IP, user agent, request date/time, content-length, access source, main frame, UID,
HID);
B.DOM clients;
C.DOM is presented.
- NetStream Data Analyzer 7 obtain the data and based on algorithm application program 8 come start analysis (block 313).
The estimation that code is handled and rebuilds expected DOM client codes is presented to DOM for-algorithm application program 8.
In addition, algorithm application program 8 is compared between DOM client codes and expected DOM client codes, (addition is extracted
Or subtraction) difference, and independently these differences are classified (block 314).These differences are individually referred to as fragment (block 315).
- algorithm application program 8 is handled these differences, to assess the risk class (block of identified fragment
316).Specific fragment is as caused by user browser, and to be referred to as browser behavior fragment (for example, the sorting of parameter, non-
The addition of closure label), other fragments are by plug-in unit or by the outside fragment of Malware (for example, Zeus) addition, other
Section is the application program fragment for being generated and being added by web application.
Once-NetStream Data Analyzer 7 completes analysis, NetStream Data Analyzer 7 distributes risk class to HTTP or HTTPS request,
And possibly take the countermeasure (block 317) of alarm, warning or flow stop etc..
All data of-storage, and the administrative staff of web application 6 can utilize these via computer management device 9
Data (block 318).
An application example of the steps performed by the algorithm application 8 of the invention is illustrated below.
Referring also to Fig. 4, the algorithm application 8 performs a statistics-based mathematical operation, which comprises the following steps:
- Create a cluster key for the request (block 401). The key is created, for example, by hashing (for example, md5 hash) the environment variables that are specific to the cluster (for example, browser, browser version, OS, OS version, country). One example is as follows:
Cluster_key = md5(browser + version + OS + country)
- Create a path key for the request (block 402). The key is created, for example, by hashing (for example, md5 hash) the URL of the HTTP or HTTPS request. One example is as follows:
Path_key = md5(path_request)
- Merge the cluster key and the path key of the request, thereby defining the request key (block 403). Example:
Request_key = cluster_key + path_key
- Increment the value of request_key (block 404). Example:
increment(request_key, 1)
- Normalize the DOM client code (block 405) and normalize the DOM presentation code (block 406). Example:
Normalized_dom_rendered = normalize(dom_rendered)
Normalized_dom_client = normalize(dom_client)
- Execute the comparison function to compare the normalized DOM presentation code with the normalized DOM client code (block 407), obtaining the list of snippets (block 408). For example:
Snippet_array = compare(normalized_dom_rendered, normalized_dom_client)
- For each element of snippet_array, perform the following steps (block 409).
In this respect, and referring to Fig. 5, there is a step of creating a key for the identified snippet (block 501). This key is created by hashing (for example, md5 hash) the variables that are specific to the snippet (for example, content, type [insertion, deletion], size). One example is as follows:
a. snip_key = md5(snippet_array[N](type) + snippet_array[N](len) + snippet_array[N](content))
b. Merge the snippet key and the request key to obtain the statistical snippet key (block 502):
Stat_snip_key = request_key + snip_key
c. Increment the value of stat_snip_key (block 503):
increment(stat_snip_key, 1)
d. Compare the value of request_key with the value of stat_snip_key to define the risk level of the identified snippet (block 504). For example, the comparison is as follows:
i. Where a behaviour snippet is identified, if extract_value_of(stat_snip_key) == extract_value_of(request_key), the risk level is low (block 505).
ii. Where an application snippet or an external snippet (for example, a browser plug-in) is identified, if extract_value_of(stat_snip_key) < extract_value_of(request_key), the risk level is medium (block 506).
iii. Where a high-risk man-in-the-browser or man-in-the-middle snippet is identified, if extract_value_of(stat_snip_key) << extract_value_of(request_key), the risk level is high (block 507).
In other words, the characteristic feature of the algorithm application 8 is that it compares the frequency of snippets within a cluster.
If the number of occurrences is reasonably close to the baseline, the snippet is a browser-related behaviour snippet and/or a snippet caused by a widely used plug-in.
In this case the algorithm assigns a low or zero risk level.
However, if the number of occurrences deviates from the baseline, an unexpected significant difference is present.
Depending on multiple factors (for example, the length of the modified code, the type of the code injected), the algorithm application 8 assigns a medium to very high risk level.
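As an added worked example (not code from the patent or its applicant), the statistical comparison of Fig. 4 and Fig. 5 together with the snippet extraction of blocks 314 to 316 above, carried out in Python: the key functions as written in the examples, a token-level diff standing in for the unspecified comparison function, and the per-cluster frequency test that assigns the risk level. The risk thresholds, the minimum baseline, the agent script path, the browser stand-in and the sample DOMs are assumptions.

```python
import difflib
import hashlib
import re
from collections import Counter

# Constructed in-memory store for the request_key / stat_snip_key counters (blocks 404, 503).
COUNTERS = Counter()
MIN_BASELINE = 10  # assumption: with fewer requests a cluster has no usable baseline

def md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def cluster_key(browser, version, os_name, country):  # block 401
    return md5(browser + version + os_name + country)

def path_key(path_request):  # block 402
    return md5(path_request)

def request_key(meta):  # block 403: cluster key concatenated with path key
    return cluster_key(meta["browser"], meta["version"], meta["os"], meta["country"]) + path_key(meta["path"])

def snip_key(snippet):  # block 501: hash of the snippet's type, length and content
    return md5(snippet["type"] + str(snippet["len"]) + snippet["content"])

def normalize(dom):  # blocks 405/406: tag and text tokens with whitespace collapsed
    return [re.sub(r"\s+", " ", t).strip() for t in re.findall(r"<[^>]+>|[^<]+", dom) if t.strip()]

def compare(normalized_rendered, normalized_client):
    # Block 407: token diff of rendered against client DOM; each run of inserted or
    # deleted tokens becomes one snippet (block 408).
    sm = difflib.SequenceMatcher(None, normalized_client, normalized_rendered, autojunk=False)
    snippets = []
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag in ("insert", "replace"):
            content = " ".join(normalized_rendered[j1:j2])
            snippets.append({"type": "insert", "len": len(content), "content": content})
        if tag in ("delete", "replace"):
            content = " ".join(normalized_client[i1:i2])
            snippets.append({"type": "delete", "len": len(content), "content": content})
    return snippets

def risk_level(snip_count, req_count):
    # Block 504: snippet frequency in the cluster against the request count. The
    # thresholds are an assumption; the text only states ==, < and <<.
    if req_count < MIN_BASELINE:
        return "insufficient-baseline"
    ratio = snip_count / req_count
    if ratio >= 0.9:
        return "low"     # in (almost) every request: browser behaviour snippet
    if ratio >= 0.1:
        return "medium"  # in a fraction of requests: application or plug-in snippet
    return "high"        # almost never seen in this cluster: candidate injection

def analyze_request(meta, dom_client, dom_rendered):
    # Blocks 404-409 and 501-507 for one request; returns (content, risk) pairs.
    rk = request_key(meta)
    COUNTERS[rk] += 1
    results = []
    for s in compare(normalize(dom_rendered), normalize(dom_client)):
        sk = rk + snip_key(s)  # stat_snip_key, block 502
        COUNTERS[sk] += 1
        results.append((s["content"], risk_level(COUNTERS[sk], COUNTERS[rk])))
    return results

# Constructed sample: a login page from the web application plus a hypothetical agent script.
SERVER_DOM = ("<html><body><form action='/login'><input name='user'><input name='pass'>"
              "</form><table><tr><td>x</td></tr></table></body></html>")
CLIENT_DOM = SERVER_DOM.replace("</body>", "<script src='/agent.js'></script></body>")
META = {"browser": "Firefox", "version": "42", "os": "Windows", "country": "IT", "path": "/login"}

def render(client_dom, plugin=False, injected=False):
    # Constructed stand-in for the browser: always adds <tbody>, optionally a plug-in
    # toolbar, and optionally an extra form field of the kind a man-in-the-browser injects.
    out = client_dom.replace("<tr>", "<tbody><tr>").replace("</tr>", "</tr></tbody>")
    if plugin:
        out = out.replace("</body>", "<div id='ext-toolbar'></div></body>")
    if injected:
        out = out.replace("</form>", "<input name='pin'></form>")
    return out

def run_scenario():
    # 20 baseline requests (8 with the plug-in), then one that also carries the injected
    # field; returns {snippet content: risk level} for that last request.
    COUNTERS.clear()
    for i in range(20):
        analyze_request(META, CLIENT_DOM, render(CLIENT_DOM, plugin=(i % 5 < 2)))
    return dict(analyze_request(META, CLIENT_DOM, render(CLIENT_DOM, plugin=True, injected=True)))
```

In the scenario the two `<tbody>` snippets are seen in every request of the cluster and come out low, the plug-in toolbar is seen in a fraction and comes out medium, and the injected `pin` field is seen once in 21 requests and comes out high.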
Advantageously, because the system 1 analyses each request, the system 1 provides a summary of what happens during the session.
For example, the method implemented by the system 1 can detect the following:
- whether a request comes from a human user or a BOT;
- whether a request has "reasonable" or "unreasonable" timing;
- which user agent and IP a request comes from;
- which UID a request comes from.
Advantageously, the method of the invention provides complete tracking and session monitoring of the user (that is, the client user).
According to a preferred embodiment, the method comprises the following steps:
- automatically removing malicious snippets by providing feedback to the user's Web browser 4;
- obtaining screenshots and a behavioural analysis of the user on the page;
- analysing the user's path within the Web site via a request timeline;
- modifying the DOM server code by changing attribute values, link values, forms, fields and/or functions of the HTML and/or Javascript code;
- modifying the DOM server code by adding, modifying and/or reorganizing the content of the DOM server code.
Advantageously, the method of the invention, by using the system 1, makes it possible to identify and counter man-in-the-browser and/or man-in-the-middle attacks efficiently and safely, thereby providing comprehensive monitoring of the user's requests.
Those skilled in the art will readily understand that, without departing from the scope of the invention as defined in the appended claims, multiple changes and variations can be made to what is described above in order to meet particular requirements.
Claims (12)
1. A system (1) for identifying network attacks, comprising:
a flo-tester (2) in signal communication with at least one client computer (3) and a Web server (5), wherein the client computer (3) has a Web browser (4) resident therein for Internet browsing, and the Web server (5) has a web application (6) resident therein,
the flo-tester (2) being configured, when a user at the client computer (3) makes, via the Web browser (4), at least one request associated with the web application (6), to receive the request from the Web browser (4) and to send the request to the Web server (5),
the flo-tester (2) being configured to receive from the Web server (5) the DOM server code related to the request,
characterized in that the system further comprises:
a NetStream Data Analyzer (7), wherein the NetStream Data Analyzer (7) has an algorithm application (8) resident therein, the NetStream Data Analyzer (7) being in signal communication with the flo-tester (2),
the flo-tester (2) being configured to add an agent code part to the DOM server code, thereby generating DOM client code, and to send the DOM client code to the Web browser (4),
the flo-tester (2) being configured to receive from the Web browser (4) DOM presentation code associated with the DOM client code,
the flo-tester (2) being configured to send at least the DOM client code and the DOM presentation code to the NetStream Data Analyzer (7),
the algorithm application (8) being configured to process the DOM presentation code and to compare the DOM presentation code with the DOM client code in order to identify at least one code difference.
2. The system (1) according to claim 1, wherein the flo-tester (2) is configured to use the HTTP or HTTPS protocol at least to receive the request associated with the web application (6) from the Web browser (4) and to send the request to the Web server (5).
3. The system (1) according to claim 1, wherein the DOM server code is HTML and/or Javascript code associated with the request, the agent code part is HTML and/or Javascript code, and the DOM client code comprises at least the DOM server code and the agent code part.
4. The system (1) according to claim 1, wherein the agent code part is configured to instruct the Web browser (4) to send the DOM presentation code to the flo-tester (2).
5. The system (1) according to claim 1, further comprising a computer management device (9), wherein the computer management device (9) is in signal communication with the NetStream Data Analyzer (7) and is configured so that a user can program and monitor the operation of the NetStream Data Analyzer (7).
6. The system (1) according to claim 1, wherein the NetStream Data Analyzer (7) is configured to generate an attack recognition signal in the case where the algorithm application (8) identifies the at least one code difference, and to send the attack recognition signal to the flo-tester (2) and/or the Web browser (4) and/or a computer management device (9) and/or an external unit, and/or to store the attack recognition signal in a database.
7. The system (1) according to claim 1, wherein the algorithm application (8) resident in the NetStream Data Analyzer (7) is configured to process the DOM presentation code so as to compare, using a comparison function, the DOM presentation code with the DOM client code, thereby generating at least one attack recognition signal in the case where the DOM client code and the DOM presentation code do not match.
8. A method for identifying man-in-the-browser and/or man-in-the-middle network attacks, the attacks being identified using a system (1) according to the preceding claims, characterized in that the method comprises the following steps:
generating, via a Web browser (4), a request for a web application (6) or a web resource using a URI or URL;
sending the request to a Web server (5) using a flo-tester (2);
receiving DOM server code using the flo-tester (2), wherein the DOM server code is automatically generated by the Web server (5) according to the request;
adding an agent code part to the DOM server code using the flo-tester (2), thereby generating DOM client code, and sending the DOM client code to the Web browser (4);
receiving and processing the DOM client code using the Web browser (4) so as to automatically generate DOM presentation code, and sending the DOM presentation code to the flo-tester (2);
receiving the DOM presentation code using the flo-tester (2), and automatically sending the DOM client code and the DOM presentation code to a NetStream Data Analyzer (7); and
receiving, processing and comparing at least the DOM client code and the DOM presentation code using an algorithm application (8) resident in the NetStream Data Analyzer (7), so as to generate at least one attack recognition signal in the case where the DOM client code and the DOM presentation code do not match.
9. The method according to claim 8, wherein the step of sending the request comprises the following step:
sending the request using the HTTP or HTTPS protocol,
wherein the agent code part is HTML and/or Javascript code, or another type of code and/or language that can be interpreted by the Web browser,
and the DOM client code comprises at least the DOM server code and the agent code part.
10. The method according to claim 9, wherein the step of receiving and processing the DOM client code so as to automatically generate the DOM presentation code comprises the following steps:
receiving the DOM client code using the Web browser (4);
processing, using the Web browser (4), the DOM server code contained in the DOM client code so as to automatically generate the DOM presentation code; and
processing, using the Web browser (4), the agent code part contained in the DOM client code so as to send the DOM presentation code to the flo-tester (2).
11. The method according to claim 8, wherein the step of receiving and comparing at least the DOM client code and the DOM presentation code using the algorithm application (8) resident in the NetStream Data Analyzer (7), and of generating at least one attack recognition signal in the case where the DOM client code and the DOM presentation code do not match, comprises the following step:
sending the attack recognition signal to the flo-tester (2) and/or the Web browser (4) and/or a computer management device (9) and/or an external unit.
12. The method according to claim 8, wherein the step of receiving and comparing at least the DOM client code and the DOM presentation code using the algorithm application (8) resident in the NetStream Data Analyzer (7), and of generating at least one attack recognition signal in the case where the DOM client code and the DOM presentation code do not match, comprises the following step:
using the algorithm application (8) resident in the NetStream Data Analyzer (7), receiving and comparing at least the DOM client code and the DOM presentation code by executing a comparison function, so as to generate at least one attack recognition signal in the case where the DOM client code and the DOM presentation code do not match.
Applications Claiming Priority (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201462079337P | 2014-11-13 | 2014-11-13 | |
EP14192969.5 | 2014-11-13 | | |
EP14192969 | 2014-11-13 | | |
US62/079,337 | 2014-11-13 | | |
PCT/IB2015/058307 WO2016075577A1 (en) | 2014-11-13 | 2015-10-28 | System and method for identifying internet attacks |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107209831A (en) | 2017-09-26 |
CN107209831B CN107209831B (en) | 2021-02-05 |
Family
ID=54476706
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201580061985.1A Active CN107209831B (en) | 2014-11-13 | 2015-10-28 | System and method for identifying network attacks |
Country Status (4)
Country | Link |
---|---|
US (2) | US20170324772A1 (en) |
EP (1) | EP3219072B1 (en) |
CN (1) | CN107209831B (en) |
ES (1) | ES2882125T3 (en) |
2015
- 2015-10-28 US US15/526,416 patent/US20170324772A1/en not_active Abandoned
- 2015-10-28 ES ES15795226T patent/ES2882125T3/en active Active
- 2015-10-28 CN CN201580061985.1A patent/CN107209831B/en active Active
- 2015-10-28 EP EP15795226.8A patent/EP3219072B1/en active Active
- 2015-11-12 US US14/939,888 patent/US11044268B2/en active Active
Also Published As
Publication number | Publication date |
---|---|
EP3219072A1 (en) | 2017-09-20 |
ES2882125T3 (en) | 2021-12-01 |
US20170324772A1 (en) | 2017-11-09 |
CN107209831B (en) | 2021-02-05 |
US20160142428A1 (en) | 2016-05-19 |
EP3219072B1 (en) | 2021-06-09 |
US11044268B2 (en) | 2021-06-22 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| CP03 | Change of name, title or address | Address after: Milan, Italy; Patentee after: Clive associates Inc.; Address before: Trento; Patentee before: Clearfy S.R.L. |